Ohio Implements Cybersecurity Legislation Regulating Insurance Companies’ Methods of Data Protection

On March 20, 2019, the recently enacted Ohio Senate Bill 273 went into effect. The new law applies to insurers licensed, authorized, or registered to do business within the state. This new regulatory measure aims to set a standard for data protection as well as notifications for data breaches. Ohio is joining South Carolina and Michigan in the enactment of stricter laws for insurance companies. The law will have a major impact on insurers in various ways including but not limited to:

  • requiring insurers to adopt a written cybersecurity program and implement safeguards
  • obligating insurers to conduct risk assessments
  • demanding that insurers implement incident response plans and fulfill reporting obligations

Written Cybersecurity Program and Safeguards

Under the new law, companies will be required to develop, implement, and maintain comprehensive written security programs. The security program’s complexity should match the size of the specific company. Factors such as the nature and scope of the company’s activities, the number of third-party providers it utilizes, and the amount of nonpublic information it possesses and controls will determine how complex each individual security program must be. Companies must also implement safeguards within those programs.

The security program must contain administrative, technical, and physical safeguards that protect nonpublic information by: 1) protecting the security and confidentiality of the nonpublic information and the security of the information system; 2) protecting against unauthorized access to the nonpublic information and minimizing the likelihood of harm to any consumer; and 3) creating a mechanism for the nonpublic information’s destruction when it no longer serves a relevant purpose.

Risk Assessments

Insurance companies will be expected to identify reasonably foreseeable internal and external threats that could result in unauthorized access to the nonpublic information they possess, maintain, and otherwise process. This also includes nonpublic information held by third-party service providers. Further, insurers will need to assess the potential damage of internal and external threats by reviewing the sufficiency of their policies, procedures, information systems, and safeguards discussed above. Insurers must repeat this process at least annually to refresh these data protections and, as a more general principle, insurers are required to continually work to manage the threats identified during any assessments.

Incident Response Plans, Reporting Obligations, and Safe Harbor

Insurers are required to create and maintain a written incident response plan that is designed to respond to and recover from a security breach. These plans must address numerous steps such as internal processes for response to a breach, designation of roles and authority internally in case of a breach, and evaluation and revision of their plans following a breach. In the case of a breach, an insurance company is required by statute to report the incident to the Ohio Department of Insurance following a prompt investigation of the event. It is important to note that not every breach is reportable under the law. If the only compromised information was encrypted and the encryption process is not also compromised, then the breach does not need to be reported. However, it may behoove companies to fulfill the process and report the breach to ensure full compliance.

Similar to the recently enacted Ohio Data Protection Act, insurers that maintain a cybersecurity program that reasonably conforms to an industry-recognized cybersecurity framework would be able to assert an affirmative defense to any tort claim arising from any personal consumer information breaches. Beyond that, certain small insurers (those with fewer than 20 employees or generating less than $5 million in gross annual revenue) are excluded from the information security program requirements, and HIPAA-compliant insurers are deemed to meet the new law’s requirements. Notwithstanding these safe harbor provisions, insurers must assess the manner in which they obtain, store, process, and distribute consumer data in the immediate future to ensure compliance with this new law.

Looking Ahead

It is imperative that insurance companies actively pursue a detailed approach to compliance under this statute. The requirements are extensive and will require a team composed of IT and legal professionals to ensure compliance. Our experienced attorneys at Dickie, McCamey & Chilcote, P.C. will continue to provide updates on this latest development (and others to be forthcoming) as the global and national trend toward stricter data privacy and cybersecurity regulation continues. If you have any questions or concerns, please contact us, and we will be happy to work with you to help equip your company for compliance in this constantly evolving area.